Veracode introduces first application intelligence service

Specific application code auditing is nothing new, as Veracode - as well as companies like Fortify and Qualys - have been offering these types of services for some time, Infosecurity notes, but the move by Veracode will give businesses the ability to measure the security and code audit rating of the programmes in active use in their organisation.

Under the new service, Veracode users will be able to set peer-based or industry-based benchmarks for the security quality of internally developed software, as well as establish appropriate third-party purchase and acceptance criteria, and address what Veracode calls "increasingly thorough audit or compliance requirements."

Known as 'Security Insights', the new service is based around Veracode's cloud-based application risk management services platform, which draws on anonymous data from customers around the world, and gives them a score rating for their in-house software.

Interestingly, the Veracode service provides a simplistic button-based interface marked 'compare me' that compares the company's software portfolio against the aggregated security quality benchmarks from thousands of applications in the industry.

Matt Moynahan, Veracode's CEO, said that the new service was designed to make it easier for its customers to solidify their software infrastructure before they are attacked or fall victim to a zero-day application vulnerability.

"Because Veracode's application intelligence from our cloud-based service is as dynamic as the threat environment itself, no enterprise or on-premise tool can provide this level of comprehensive analysis that users can immediately turn into business decision-making intelligence", he said.

"Rather than merely responding to breaches and threats, executives now have what it takes to make pro-active, enforceable decisions on the level of acceptable application security quality before the attack takes place", he added.

Veracode points to recent examples of third-party risk, such as the Google-China incident, that it says have created recognition of the need for operating controls to manage application risk.

This, the company says, is where 'Security Insights' enters the frame, as it allows businesses to set specific acceptance criteria and internal security policies.
